Varonis debuts trailblazing features for securing Salesforce. Learn More

Introducing Athena AI our new generative AI layer for the Varonis Data Security Platform.

Learn more

What is an APT?: Advanced Persistent Threat Overview

4 min read
Last updated January 6, 2022

An advanced persistent threat or APT is an attacker that lurks within your environment for an extended period of time, drops malware and other malicious software in your environment, and exfiltrates valuable data.

It's one of the more scary threats an organization could face because they're designed to evade detection and if they're found out, it may be many months or even years since the APT first entered a company's environment.

In this article, we'll go over what is an APT, who's likely to suffer from this kind of threat, and what kind of mitigation and defense tools you can use to prevent an APT from compromising your organization.

Who's Most Commonly Targeted by APT Attacks?

apt targets

Traditionally, enterprises and governments were most targeted by APTs as the nature of the attack requires resources, targeted efforts, and highly sophisticated methods.

Because, by definition, APTs lurked in an environment for a long time and sought to steal data, it wasn't a threat smaller companies often faced or needed to worry about.

However, there is a growing trend that's seeing APTs target smaller enterprises,  mid-sized companies, and government partners and contractors. Intellectual property theft is still highly valuable and more and more companies are finding themselves attacked by APTs.

Research from Kaspersky published in late 2020 showed that a major APT group, Deathstalker, was focusing on small to medium financial organizations, a stark difference from the entities most commonly targeted.

Who's Behind APT Attacks?

Nation-state hacker groups are most often behind APT attacks, with US-sponsored groups even leveraging the technique against their adversaries. But APT groups are also on the rise and well-funded hacker groups are now leveraging the attack.

How an Advanced Persistent Threat (APT) Works

Because APTs stay within an organization's environment for so long, there's a lengthy lifecycle to the threat. Here's a breakdown.

Initial Compromise and Access

This is the initial stage that comes after the APT has done their homework and knows how to get into the targeted organization. Whether through spearphishing, social engineering, attacking a network directly or exploiting a software or device vulnerability, the APT will eventually make its way in.

Malware Deployment for Deeper Penetration

Once inside, the attacker will deploy a number of malware and other tools that will help it lurk within your organization undetected, create a backdoor in case they're caught, and establish a C&C (command and control) connection for remote access.

Expansion and Lateral Movement

After deploying the necessary malware, the attacker can start moving freely, leveraging newly created tunnels, escalated privileges, and additional techniques like brute force password cracks that provide access to other parts of your network while remaining undetected.

Capture Sensitive or Valuable Data

Because this kind of attack is so sophisticated and targeted, an attacker likely knows exactly what they're looking for. Once they're able to access critical folders, assets, and parts of your network, they can start capturing this data.

This is often done via malware and other tools that will silently capture information across multiple resources, compress it, and encrypt it so it's hidden from administrators.

Exfiltration and Potential Exit

Jackpot. If successful, the attacker will start sending the compromised data out to the C&C server or another accessible location like an already compromised server.

To further evade detection, the data may get encrypted, or the attacker may launch a white noise attack on the organization to distract the security team and tie up resources.

This can take the form of a DDoS attack or other forms of attacks that can easily be detected so the organization is forced to react.

Unfortunately, this doesn't spell the end of the APT. Depending on how successful they believe they were or whether they can make use of additional data, the APT may continue to lurk within your environment and siphon data.

Alternatively, they may also leave a backdoor (often created in step 2) open so they have a way in whenever they need to. This reduces the risk of unnecessary detection while ensuring that they can return to stealing data whenever there's an attractive opportunity.

APT Tactics and Techniques

apt tactics

An APT is a multifaceted attack and takes advantage of a number of different tools and methods to compromise a network, evade detection, and exfiltrate valuable data. Methods include:

Employee compromise: An APT needs deep access within an organization. An easy vector can be an employee who absentmindedly clicks on an email or downloads an attachment. Phishing, spearphishing, and social engineering attacks target employees.

Vulnerability exploitation: During the research phase, an APT may have a list of software, devices, partners, and vendors you're using. They may even know whether you've updated them or not. If they know you're leaving yourself vulnerable they may use or develop an attack to exploit that known vulnerability.

Malware, rootkits, and trojans: APTs use a number of tools like rootkits once inside that let them further compromise networks, prevent detection as they move laterally across an environment, exploit vulnerabilities, and siphon data.

How to Defend Against an APT attack

Because APTs leverage a number of different attack methods and tools, it may seem intimidating to defend against them. However, that's precisely the reason why you should be investing in a number of defense tools and processes that limit how susceptible you are to these types of attacks.

Implement Network and Endpoint Monitoring and Detection tools

Monitoring capabilities are a must in order to know whether or not a malicious actor has entered your environment and whether or not they're moving laterally and accessing critical files or data.

The right kind of detection and monitoring tools should alert you, in real-time, when an authorized individual enters your network so you can respond as quickly as possible. The faster you can act, the less time an APT has to hide.

Keep Your Employees Trained and Aware

Security awareness training is crucial here since they're usually compromised in the first step of infiltration. Helping employees spot phishing emails, counteract social engineering attacks, and appropriately raise the alarm will help your organization stay vigilant.

Ensure You're Not Needlessly Exposed

APTs can also make their way in by exploiting known vulnerabilities. This can result from a lack of updating software and devices and applying necessary security updates. By not maintaining a patch management schedule, you're increasing your risk exposure.

Limit Your Permissions and Admin Privileges

APT attackers often move laterally because they need to reach an account with elevated permission, access, or privileges to capture sensitive data and deploy malware. By enforcing a policy of least privilege, you're drastically minimizing the number of accounts that, if compromised, could be used by APT threats.

Defending Against APTs Requires a Strong Security Posture

APTs can be scary threats given that they're often hard to detect and are pinpointed to the organization that's targeted. But it doesn't mean you can't defend against them and fundamental cybersecurity tools and solutions play an important role.

As you're building your security posture, you should already be thinking about a layered cybersecurity approach. Prioritize network monitoring, endpoint detection, and response, ensure only a few accounts have escalated privileges, and train your employees.

Together, these provide a strong, comprehensive, proactive defense against many types of attacks, including APTs. The challenge is in finding the right tools and partners.

To learn how Varonis' Data Security Platform provides comprehensive monitoring, analytics, detection, and monitoring capabilities, all with a dedicated team behind it, check out the solution page here.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Speed Data: The Next Generation of Cybersecurity With Mark Weber
Executive in Residence for the Catholic University of America Mark Weber shares tips for mentoring future cybersecurity professionals.
Varonis Leads DSPM Market on Gartner Peer Insights
As a leader in data security, Varonis is proud to be rated No. 1 in Gartner’s Data Security Posture Management category.
Speed Data: Fusing Empathy and Enterprise With Illena Armstrong
Illena Armstrong shares her advice for future executives, discusses the importance of teamwork, and explains why empathy is powerful for leaders.
AI At Work: Three Steps To Prepare And Protect Your Business
Discover how your business can prepare and protect your sensitive data from the risks that generative AI presents.